#!/bin/bash
# Author: Jan Vcelak <jvcelak@redhat.com>
set -e
# default options
CERTDB_DIR=/etc/openldap/certs
CERT_NAME="OpenLDAP Server"
PASSWORD_FILE=
HOSTNAME_FQDN="$(hostname --fqdn)"
ALT_NAMES=
ONCE=0
# internals
RANDOM_SOURCE=/dev/urandom
CERT_RANDOM_BYTES=256
CERT_KEY_TYPE=rsa
CERT_KEY_SIZE=1024
CERT_VALID_MONTHS=12
# parse arguments
usage() {
printf "usage: generate-server-cert.sh [-d certdb-dir] [-n cert-name]\n" >&2
printf " [-p password-file] [-h hostnames]\n" >&2
printf " [-a dns-alt-names] [-o]\n" >&2
exit 1
}
while getopts "d:n:p:h:a:o" opt; do
case "$opt" in
d)
CERTDB_DIR="$OPTARG"
;;
n)
CERT_NAME="$OPTARG"
;;
p)
PASSWORD_FILE="$OPTARG"
;;
h)
HOSTNAME_FQDN="$OPTARG"
;;
a)
ALT_NAMES="$OPTARG"
;;
o)
ONCE=1
;;
\?)
usage
;;
esac
done
[ "$OPTIND" -le "$#" ] && usage
# generated options
ONCE_FILE="$CERTDB_DIR/.slapd-leave"
PASSWORD_FILE="${PASSWORD_FILE:-${CERTDB_DIR}/password}"
ALT_NAMES="${ALT_NAMES:-${HOSTNAME_FQDN},localhost,localhost.localdomain}"
# verify target location
if [ "$ONCE" -eq 1 -a -f "$ONCE_FILE" ]; then
printf "Skipping certificate generating, '%s' exists.\n" "$ONCE_FILE" >&2
exit 0
fi
if ! certutil -d "$CERTDB_DIR" -U &>/dev/null; then
printf "Directory '%s' is not a valid certificate database.\n" "$CERTDB_DIR" >&2
exit 1
fi
printf "Creating new server certificate in '%s'.\n" "$CERTDB_DIR" >&2
if [ ! -r "$PASSWORD_FILE" ]; then
printf "Password file '%s' is not readable.\n" "$PASSWORD_FILE" >&2
exit 1
fi
if certutil -d "$CERTDB_DIR" -L -a -n "$CERT_NAME" &>/dev/null; then
printf "Certificate '%s' already exists in the certificate database.\n" "$CERT_NAME" >&2
exit 1
fi
# generate server certificate (self signed)
CERT_RANDOM=$(mktemp --tmpdir=/var/run/openldap)
dd if=$RANDOM_SOURCE bs=$CERT_RANDOM_BYTES count=1 of=$CERT_RANDOM &>/dev/null
certutil -d "$CERTDB_DIR" -f "$PASSWORD_FILE" -z "$CERT_RANDOM" \
-S -x -n "$CERT_NAME" \
-s "CN=$HOSTNAME_FQDN" \
-t TC,, \
-k $CERT_KEY_TYPE -g $CERT_KEY_SIZE \
-v $CERT_VALID_MONTHS \
-8 "$ALT_NAMES" \
&>/dev/null
rm -f $CERT_RANDOM
# tune permissions
if [ "$(id -u)" -eq 0 ]; then
chgrp ldap "$PASSWORD_FILE"
chmod g+r "$PASSWORD_FILE"
else
printf "WARNING: The server requires read permissions on the password file in order to\n" >&2
printf " load it's private key from the certificate database.\n" >&2
fi
touch "$ONCE_FILE"
exit 0